Training the next generation or abolition of the Australian 457 visa

Without consultation or warning, the Australian Government has decided to abolish the speciality skilled migration 457 visa system.

There is currently a great deal of confusion, but it seems that the current plan is that there are two lists of skills shortages eligible for varying lengths of temporary stay and migration outcome:

The Short Term Combined Skills Shortage list lists IT security professionals (ANZSCO code 262112). Folks sponsored on this visa are eligible for a two year visa and then they need to return home. This visa category does not lead either to permanent residency or eventual citizenship.

The Medium and Long-term Strategic Skills List allows 457 visas to be granted for four years. As this category stands today (20th April 2017), this list has no IT security professional category, despite our industry lacking tens of thousands of workers. Migrants employed under this skills list can progress to permanent residency and eventual citizenship.

As a profession, we have been overlooked. Abandoned, even. IMHO, with this change, Australia is being cut off from the world without adequate notice. We haven’t planned for this, and so it’s going to be chaotic and an extremely tight market for a while as we transition to not being able to hire immigrant workers.

Where to start? Well, in the olden days, folks with an interest in security sort of fell into it. Back then, it was the wild west. It could easily end up that way again. I think we can do better, but we need to address the skills pipeline, starting with Universities popping out rounded students who have a holistic and deep understanding of many areas of IT Security, and not just one small element of it.

It’s difficult to hire juniors today. They exist, but the problem is that clients often expect the “A” team, and will ring you up after a gig if they are unhappy for whatever reason with a consultant and ask that they don’t return. After a few of those calls, we’re in deep scheduling do-do. We do take the opportunity to learn from these calls, but it can be risky to hire someone who might have talent but needs more experience. Soon, we will have no choice, and clients will have no choice but to accept juniors and fee rises as we increase the use of shadowing.

In the past, it was difficult with the ever downward pressure on fees to allow shadowing, which is the usual way of imparting knowledge on the job. It’s inappropriate to send in folks who can take out a client’s network or application without realising it. The Dunning-Kruger effect in IT security is particularly harsh, and it can end your career if you’re not protected. It’s a difficult lesson to learn, and the best people learn the most in the hardest possible way. The only way to minimise this risk is adequate early training and shadowing for at least 6-12 months. And even then, there will still be mistakes.

The lack of juniors is a curse on our industry today – we let it get like this, firstly by allowing clients to choose consultants rather than the team, and secondly, by not taking chances on juniors and understanding that for a couple of years, they will need to be shadowing someone before it’s safe to let them take on a job by themselves.

We created this skills shortage by not demanding that our universities produce adequately rounded graduates on whom we could then layer industry needs, like sound consulting behaviors, people soft skills, and writing skills.

Australian universities do not have many degrees in IT security, and those that do offer units here and there, or if they offer a major stream (and a few do, like UNSW), they concentrate on what I affectionately call “ethical hacking” rather than the full suite of our profession. I applaud the fact that at long last, we are seeing some IT security majors, but the subject matter leaves a great deal to be desired. Universities aren’t vocational schools, and yet many are pumping out vocationally trained individuals. As an industry, we need both rounded and vocationally trained graduates, with lifelong learning beaten into them with a healthy start on the ol’ Dunning-Kruger curve.

Folks from these degrees often need a lot of training to get them client ready, so again, I think we need to work with higher education to produce fewer hackers and more security professionals, with a depth of skills across the IT security spectrum that will stand the test of their entire career, rather than, for example, folks with good CTF skills or the ability to deep dive into x86 reverse engineering.

We need to engage with the University sector to get new degrees going in 2018, and for them to aggressively recruit new students as a matter of priority:

Governance, risk and compliance

Identity and access management

Privacy and data protection

Enterprise and Cloud Security Architecture

SSDL and Secure coding

Application and mobile security

Systems and DevOps Security

Defences against the dark arts (Blue team)

Red teaming (ethical hacking)

DFIR, and malware analysis

Managing security – BAU IT Security Management and CISO

Critical Infrastructure Security (OT security, SCADA security, etc)

We will have to concentrate on the more esoteric and necessary fields later, such as IoT security and embedded systems.

We have less than two years to graduate students through a three year undergraduate program that does not exist today, employ them as juniors, and train them in what we do.

I’ve said many times I can take a developer and turn them into a security pro in relatively short order (3-12 months max), but I cannot teach three years of programming to a security pro.

For a while, I fully expect the current 0% unemployment rate in our field to become negative unemployment, with out of control wages growth as fewer folks will be around to fulfil an ever increasing number of FTE requirements. We might need to work together between security consultancies to share staff or similar; I’m sure there will be consolidation of consultancies and friendly alliances. I also bet there will be opportunistic recruiters setting up consultant farms to help folks get the best price in a really tight market. Good for them, market forces working for everyone.

As a global Board member of OWASP (speaking in a personal capacity), I can help bring together experts in application security and drive those syllabuses in SSDL, secure coding, application and mobile security, which are critical skills for nearly all firms that produce software and security boutiques alike.

I call on the Universities, ACSC, AISA, OWASP, and lastly ACS to lead this charge and to engage with higher education to start the process. We must work together as an industry and higher education to build out these many syllabuses, and get the word out to prospective Uni students that IT security is a great field with immense prospects.

The imminent abolition of IT security immigrant visas is both terrifying and exciting, because finally, we don’t have any choice – the entire lifecycle of our industry has to grow up and REALLY fast.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.